RISKS-LIST: Risks-Forum Digest Thursday 15 February 2024 Volume 34 : Issue 07
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/34.0xy> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Waymo recalls software after two self-driving cars hit the same truck (CNN) Tesla's latest screwup involves making the font size of its braking system too small (The Verge) OpenAI Gives ChatGPT a Memory (WiReD) Imran Khan's 'Victory Speech' from Jail Shows AI's Peril, Promise" (Yan Zhuang) Threats to Election Systems Prompt U.S. Cybersecurity Agency to Boost Cooperation with States (Christina A. Cassidy) Odometers: A voting machine analogue (Jeremy Epstein) Spying on Security Cameras Through Walls (Rizwan Choudhury) Cryptography-Breaking Algorithm Upgraded (Madison Goldberg) How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin's Anonymity (WiReD) Anxiety, Mood Swings and Sleepless Nights: Life Near a Bitcoin Mine (NYTimes via Jan Wolitzky) Amazon Prime Video Ad Tier Sparks Class Action Lawsuit From Subscribers (Hollywood Reporter) Noname Storage Devices are not always what they seem (ArsTechnica) Mozilla lays off 60 people, wants to build AI into Firefox (ArsTechnica) Robocalls, ringless voicemails and AI: Real estate enters the age of automation (LA Times) Uber Fined Almost $11 Million by Dutch Privacy Watchdog (WSJ) Automatic braking systems don't work at typical speeds? (Steve Bacher on LA Times coverage) Chrome devs working on automatic micropayments to websites without user interactions directly from wallets (The Register) Small outtakes from a big war, part 4: The end of GPS (Amos Shapir) Canada declares Flipper Zero public enemy No. 1 in car-theft crackdown (ArsTechnica) Google Scholar can be manipulated (arxiv via LW) Google's and Microsoft's chatbots are making up Super Bowl stats (TechCrunch) There's a hole in the boot, part deux (Cliff Kilby) Amazon hides cheaper items with faster delivery, lawsuit alleges (ArsTechnica) Russia Is Using Elon Musk’s Starlink at the Front Line, Ukraine Says (WSJ) Tech giants prepare pledge to fight deceptive AI election content (Politico) Help! His HP Envy doesn't work. Can he get a replacement or a refund? (Gabe Goldberg) Re: Why the 737 MAX 9 door plug blew out (Henry Baker) The Friar Who Became the Vatican's Go-To Guy on AI (NYTimes) Why Bloat Is Still Software’s Biggest Vulnerability (Steve Bacher) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 14 Feb 2024 16:11:51 -0500 From: Monty Solomon <mo...@roscom.com> Subject: Waymo recalls software after two self-driving cars hit the same truck (CNN) https://www.cnn.com/2024/02/14/business/waymo-recalls-software-after-two-self-driving-cars-hit-the-same-truck/index.html [Redundancy is supposed to be constructive! PGN] ------------------------------ Date: Fri, 2 Feb 2024 18:40:07 -0500 From: Monty Solomon <mo...@roscom.com> Subject: Tesla's latest screwup involves making the font size of its braking system too small (The Verge) https://www.theverge.com/2024/2/2/24059114/tesla-recall-brake-system-font-size-power-steering ------------------------------ Date: Tue, 13 Feb 2024 20:21:54 PST From: "Peter G. Neumann" <neum...@csl.sri.com> Subject: OpenAI Gives ChatGPT a Memory (WiReD) [Give it a memory so it will remember its previous misrepresentations, and repeat them??? PGN] https://www.wired.com/story/chatgpt-memory-openai/ ChatGPT is now like a first date who never forgets the details. ------------------------------ Date: Wed, 14 Feb 2024 11:19:18 -0500 (EST) From: ACM TechNews <technews-edi...@acm.org> Subject: Imran Khan's 'Victory Speech' from Jail Shows AI's Peril, Promise" (Yan Zhuang) Yan Zhuang, *The New York Times*, 11 Feb 2024 Despite being imprisoned, former Pakistan Prime Minister Imran Khan has garnered support for his political party using AI. Khan's AI-generated voice was used to make a victory speech on Feb. 10, stating that his party, Pakistan Tehreek-e-Insaf, won the most seats in the general election. The speech, which featured a disclaimer about the use of AI, rejected the victory claim of Khan's rival and called on supporters to defend the election's results ------------------------------ Date: Wed, 14 Feb 2024 11:19:18 -0500 (EST) From: ACM TechNews <technews-edi...@acm.org> Subject: Threats to Election Systems Prompt U.S. Cybersecurity Agency to Boost Cooperation with States (Christina A. Cassidy) Christina A. Cassidy, *Associated Press*,8 Feb 2024 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is rolling out a program to help state and local election officials enhance election security. The agency hired 10 new people for the program, each with significant election experience, who will be placed at various locations nationwide to work alongside staff already performing cyber and physical security reviews as requested by election offices. ------------------------------ Date: Tue, 13 Feb 2024 10:19:42 -0500 From: Jeremy Epstein <jeremy.j.epst...@gmail.com> Subject: Odometers: A voting machine analogue I had a conversation with someone this morning about electronic odometers in modern cars. If you recall, they were mandated because the old (mechanical) odometers were being rolled back, allowing used cars to be sold for higher prices. Maybe others were aware, but electronic odometers are now rolled back. If you go to eBay, "odometer correction tools" for ~$300 can make whatever adjustments you want. They're not subtle -- on one I looked at, it shows the before and after odometer reading, subtracting off 40,000 kilometers. (I don't know if the devices are illegal in the US, or just the act of changing the odometer.) Carfax claims that rollbacks are up significantly in the past few years (*). I'd imagine they have some incentive to detecting manipulations, since they could get sued by the consumer (or state) if they sell vehicles with tampered odometers. Anyway, the motivation for moving from paper to [particularly unauditable] DREs 25 years ago was (in part) to reduce ballot fraud, and we know how that went. I'm not predicting a return to mechanical odometers the way we've returned to paper ballots, but I found it an interesting analogue. Moving to electronic systems doesn't always have the expected result! (*) https://www.carfax.com/press/resources/odometer [This item is repurposed with permission from a list devoted to trustworthy elections. However, this bit of wisdom also applies to the audit trails for security, reliability, and trustworthiness monitoring if they can be surreptitiously altered. PGN] ------------------------------ Date: Wed, 14 Feb 2024 11:19:18 -0500 (EST) From: ACM TechNews <technews-edi...@acm.org> Subject: Spying on Security Cameras Through Walls (Rizwan Choudhury) Rizwan Choudhury, *Interesting Engineering*, 11 Feb 2024 Northeastern University researchers have developed a way to access video feeds from home security, dashboard, and smartphone cameras through walls. The EM Eye technique detects electromagnetic radiation emitted by the cameras' wires using a radio antenna, decodes the signal, and uses machine learning to reproduce real-time video without sound at a similar quality as the original. A test on 12 different types of cameras revealed that, depending on the model, EM Eye could successfully eavesdrop within a range of up to 16 feet. ------------------------------ Date: Wed, 14 Feb 2024 11:19:18 -0500 (EST) From: ACM TechNews <technews-edi...@acm.org> Subject: Cryptography-Breaking Algorithm Upgraded (Madison Goldberg) Madison Goldberg, *WiReD*, 11 Feb 2024 Cryptographers at the University of California, San Diego have developed a more efficient LLL-style algorithm, based on the original lattice-based cryptography-breaking algorithm released in 1982. The algorithm, named after the researchers who published it -- Arjen Lenstra, Hendrik Lenstra Jr., and L=C2=B7szl=C3=9B Lov=C2=B7sz -- has also proven useful in advanced mathematical arenas such as computational number theory. The new algorithm can break tasks down into smaller pieces and better balance speed and accuracy. ------------------------------ Date: Fri, 9 Feb 2024 12:21:14 -0500 From: Gabe Goldberg <g...@gabegold.com> Subject: How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin's Anonymity (WiReD) Once, drug dealers and money launderers saw cryptocurrency as perfectly untraceable. Then a grad student named Sarah Meiklejohn proved them all wrong —- and set the stage for a decade-long crackdown. https://www.wired.com/story/27-year-old-codebreaker-busted-myth-bitcoins-anonymity ------------------------------ Date: Sat, 3 Feb 2024 14:28:50 -0500 From: Jan Wolitzky <jan.wolit...@gmail.com> Subject: Anxiety, Mood Swings and Sleepless Nights: Life Near a Bitcoin Mine (NYTimes) On a sweltering July evening, the din from thousands of computers mining for Bitcoins pierced the night. Nearby, Matt Brown, a member of the Arkansas legislature, monitored the noise alongside a local magistrate. As the two men investigated complaints about the operation, Mr. Brown said, a security guard for the mine loaded rounds into an AR-15-style assault rifle that had been stored in a car. ``He wanted to make sure that we knew he had his gun -- that we knew it was loaded,'' Mr. Brown, a Republican, said in an interview. The Bitcoin outfit here, 45 minutes north of Little Rock, is one of three sites in Arkansas owned by a network of companies embroiled in tense disputes with residents, who say the noise generated by computers performing trillions of calculations per second ruins lives, lowers property values, and drives away wildlife. https://www.nytimes.com/2024/02/03/us/bitcoin-arkansas-noise-pollution.htm=l ------------------------------ Date: Tue, 13 Feb 2024 10:48:42 -0500 From: Monty Solomon <mo...@roscom.com> Subject: Amazon Prime Video Ad Tier Sparks Class Action Lawsuit From Subscribers (Hollywood Reporter) The lawsuit takes aim at the ecommerce giant turning on ads for Prime Video users and charging them an additional fee for its ad-free tier. https://www.hollywoodreporter.com/business/business-news/amazon-prime-video-ad-tier-lawsuit-1235822779/ [Also noted by Gary Goldberg. PGN] ------------------------------ Date: Thu, 8 Feb 2024 08:30:03 -0500 From: Bob Gezelter <gezel...@rlgsc.com> Subject: Noname Storage Devices are not always what they seem (ArsTechnica) ArsTechnica reports that teardowns of unbranded USB memory devices have revealed a fair number to include discarded parts and parts used in inappropriate ways. This leads to failures and loss of data. In the past, unbranded media has been a questionable practice. This report should serve as a warning to carefully consider one's archival practices, particularly when selecting external storage devices for long-term storage. https://arstechnica.com/gadgets/2024/02/rejected-chips-hidden-microsd-cards-plague-the-usb-stick-market/ [If you haven't seen it already, please check out this paper, describing how a USB-C stick can stick-it-to-you, taking over your entire system: Thunderclap: Exploiting Operating-System IOMMU Bypass Vulnerabilities with DMA from Malicious Peripherals, A. Theodore Markettos et al., ICCD 2017. https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201711-iccd2017-efficient-tags.pdf https://www.repository.cam.ac.uk/handle/1810/288484 http://www.thunderclap.io PGN] ------------------------------ Date: Wed, 14 Feb 2024 12:53:45 -0800 From: Lauren Weinstein <lau...@vortex.com> Subject: Mozilla lays off 60 people, wants to build AI into Firefox (ArsTechnica) Uh, no thanks -- There goes Firefox down the drain! -L https://arstechnica.com/gadgets/2024/02/mozilla-lays-off-60-people-wants-to-build-ai-into-firefox/ ------------------------------ Date: Wed, 14 Feb 2024 06:56:46 -0800 From: Steve Bacher <seb...@verizon.net> Subject: Robocalls, ringless voicemails and AI: Real estate enters the age of automation (LA Times) https://www.latimes.com/california/story/2024-02-14/robocalls-ringless-voicemails-and-ai-real-estate-enters-the-age-of-automation ------------------------------ Date: Thu, 1 Feb 2024 02:45:15 -0500 From: Monty Solomon <mo...@roscom.com> Subject: Uber Fined Almost $11 Million by Dutch Privacy Watchdog (WSJ) Ride-hailing company made it difficult for drivers to access their information and failed to sufficiently disclose its data practices, regulator says https://www.wsj.com/articles/uber-fined-almost-11-million-by-dutch-privacy-watchdog-ddd57a80 ------------------------------ Date: Sat, 10 Feb 2024 09:42:43 -0800 From: Steve Bacher <seb...@verizon.net> Subject: Automatic braking systems don't work at typical speeds? This is from the LA Times coverage of the Rebecca Grossman hit-and-run murder case: https://www.latimes.com/california/story/2024-02-10/judge-declines-to-dismiss-murder-charges-against-rebecca-grossman-as-prosecution-rests Excerpts: Prosecutors rested their case with a retired California Highway Patrol officer turned crash expert, John Grindey, who testified that Grossman *was going so fast that her Mercedes safety system couldn't detect the two boys in the crosswalk to automatically apply the brakes.* Emphasizing the repeated prosecution theme of deadly speed, Grindey said Grossman’s Mercedes 43 GLE approached the Triunfo Canyon Road crosswalk at 81 mph. *“Over ... 44 mph, [the safety system] does not detect small children,”* he told jurors. [Really? These highly touted safety systems aren't effective enough to be relied upon? "Over 44 mph" is well below the standard speed limit on American highways.] ------------------------------ Date: Wed, 14 Feb 2024 08:09:19 -0800 From: Lauren Weinstein <lau...@vortex.com> Subject: Chrome devs working on automatic micropayments to websites without user interactions directly from wallets What could possibly go wrong? Oh yeah, count me OUT. -L https://www.theregister.com/2024/02/13/google_micropayments_plan/ Also, scroll down for the comments on Slashdot: https://tech.slashdot.org/story/24/02/13/2244212/chrome-engine-devs-experiment-with-automatic-browser-micropayments ------------------------------ Date: Wed, 14 Feb 2024 18:25:09 +0200 From: Amos Shapir <amos...@gmail.com> Subject: Small outtakes from a big war, part 4: The end of GPS Over the weekend I was hiking in northern Israel, using a free navigation app. Somewhere along the route, the app noted: "Distance to target: 144 km", so I asked it to show me where it thinks I was: In the middle of an airport. Beirut airport. At the end of the hike, it showed that I'd walked 878 km -- 8 km actual hiking, plus 870 km of phantom-hiking 3 times to Beirut and back. It seems that on a few spots along the way, someone (or something) was spoofing GPS, in order to deflect or confuse incoming GPS-guided missiles. I don't know if that actually worked, but it's a fact that since the start of the war, hundreds of rockets were fired across the border, but none of them were the supposedly accurate long-range ones. More serious apps like Waze and Google Maps did not fall for this trick, and just marked those spots as temporary loss of GPS signal, but my Google timeline still shows this visit to Beirut. ------------------------------ Date: Wed, 14 Feb 2024 00:55:39 -0500 From: Monty Solomon <mo...@roscom.com> Subject: Canada declares Flipper Zero public enemy No. 1 in car-theft crackdown https://arstechnica.com/?p=2002579 [Also noted by Gary Goldberg and Lauren Weinstein who suggests that Banning such a device is useless. It's all open source. -L https://arstechnica.com/security/2024/02/canada-vows-to-ban-flipper-zero-device-in-crackdown-on-car-theft/ PGN] ------------------------------ Date: Thu, 8 Feb 2024 10:39:28 -0800 From: Lauren Weinstein <lau...@vortex.com> Subject: Google Scholar can be manipulated https://arxiv.org/abs/2402.04607 ------------------------------ Date: Sun, 11 Feb 2024 16:57:03 -0800 From: Lauren Weinstein <lau...@vortex.com> Subject: Google's and Microsoft's chatbots are making up Super Bowl stats (TechCrunch) https://techcrunch.com/2024/02/11/googles-and-microsofts-chatbots-are-making-up-super-bowl-stats/ ------------------------------ Date: Tue, 6 Feb 2024 23:57:59 -0500 From: Cliff Kilby <cliffjki...@gmail.com> Subject: There's a hole in the boot (part deux) Everyone recall boothole? https://eclypsium.com/research/theres-a-hole-in-the-boot/#breaking yadda yadda buffer overflow, yadda malicious bootloader...cue massive UEFI patch and dbx update scramble. It's back. Similar root cause, buffer overflow, different vector. This ones in netbooting (i/PXE). https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/ This one isn't as concerning though. Certainly no system is in place that sources boot images outside of your local datacenter. Right? ------------------------------ Date: Wed, 14 Feb 2024 00:54:09 -0500 From: Monty Solomon <mo...@roscom.com> Subject: Amazon hides cheaper items with faster delivery, lawsuit alleges (ArsTechica) https://arstechnica.com/?p=2002777 ------------------------------ Date: Sun, 11 Feb 2024 12:46:35 -0500 From: Monty Solomon <mo...@roscom.com> Subject: Russia Is Using Elon Musk’s Starlink at the Front Line, Ukraine Says Russian access to satellite Internet system would negate a major battlefield advantage for Kyiv. https://www.wsj.com/world/russia-using-musks-starlink-at-the-front-line-ukraine-says-516701f0 ------------------------------ Date: Tue, 13 Feb 2024 9:34:12 PST From: Peter Neumann <neum...@csl.sri.com> Subject: Tech giants prepare pledge to fight deceptive AI election content (Politico) Oc=E9ane Herrero, Gian Volpicelli, Antoaneta Roussi Politico, 13 Feb 2024 Technology giants are planning a new industry accord to fight back against deceptive AI artificial intelligence election content that is threatening the integrity of major democratic elections across the world this year. A draft Tech Accord, seen by POLITICO, showed technology companies want to work together to create tools like watermarks and detection techniques to spot, label and debunk deepfake AI-manipulated images and audio of public figures. The pledge also includes commitments to open up more about how the firms are fighting AI-generated disinformation on their platforms. ``We affirm that the protection of electoral integrity and public trust is a shared responsibility and a common good that transcends partisan interests and national borders.'' The text, which is a draft and could still change, is planned to be presented when political and security leaders gather at the Munich Security Conference starting Friday. The conference has seen tech firms take up increasing attention and space throughout the years, as threats like informational warfare and cyberattacks have risen. The draft Tech Accord has the backing of technology giants Microsoft, Google and Facebook and Instagram owner Meta, according to four people with knowledge of the process, granted anonymity because discussions were ongoing. Three of the people said TikTok, OpenAI and Adobe are also planning to sign. Other companies are likely to join the initiative still. Meta confirmed to POLITICO it was part of the accord, adding that Adobe, Google, LinkedIn, Microsoft, OpenAI and TikTok would also join. Google and OpenAI did not respond to a request for comment in time for publication. Microsoft declined to comment. A report <https://y3r710.r.eu-west-1.awstrack.me/L0/https:%2F%2Fdmp.politico.eu%2F%3Femail=eisg...@hq.acm.org%26destination=https:%2F%2Fsecurityconference.org%2Fen%2Fpublications%2Fmunich-security-report-2024%2F/1/0102018da0d736fa-aa3488f1-c874-4b13-b314-7c53289fb400-000000/j_oILCStne_BdVJquv0ThZAm4dc=360> by the Munich Security Conference organizers, presented Monday, showed how fears around artificial intelligence had shot up in the past year in major global economies, especially in Italy, France and Brazil. Tools to fight the deepfake flood Tech firms are under pressure from governments including the European Union to get a grip on the problem of AI-generated deepfakes and misleading material. Several firms, including OpenAI and Meta, have said they will start labeling deepfakes in the coming months. Political deepfakes have already popped up in the United States, Poland and the United Kingdom, among many other countries. Most recently, the U.S. was rocked by a robocall impersonating President Joe Biden, raising fears over the tech's impact on the country's politics. The European Union's Artificial Intelligence Act would require all AI-generated content to be clearly labeled as such; the bloc is also using its Digital Services Act to force the tech industry to curb deepfakes. The draft accord floated ideas including developing detection technology, open standards-based identifiers for deepfake content and watermarks using the standards C2PA and SynthID, which are existing initiatives that involve Microsoft, Google and a wide range of other tech firms. But it added technical tools like metadata, watermarking, classifiers, or other forms of provenance or detection techniques can't fully mitigate the risks of AI, suggesting that the initiative would need the support of governments and other organizations to raise public awareness on the issue of deepfakes. Others in the technology industry criticized the initiative because it would divert attention from keeping tech companies in check with regulation and oversight. Democracies are ``well past the era where we can trust companies to self regulate,'' Meredith Whittaker, co-founder of the AI Now Institute, who saw a draft of the document last week, told POLITICO. ``Deepfake doesn't really matter unless you have a platform you can disseminate it on,'' arguing the pledge failed to address issues with how social media platforms and advertising models are used to target certain voters ------------------------------ Date: Fri, 9 Feb 2024 12:28:16 -0500 From: Gabe Goldberg <g...@gabegold.com> Subject: Help! His HP Envy doesn't work. Can he get a replacement or a refund? (NOT MY) Question to consumer advocate: I recently had a very, very painful experience when I bought an HP Envy x360 2-in-1 laptop. I received it a few months ago, and the product was defective. The touch screen did not work. I wasted 40 hours on the phone with HP tech support but could not get a replacement screen. I finally sent it back to HP for a repair. HP recently told me that it couldn't get a replacement screen because it discontinued the laptop. I asked the company to send me a similar product, the HP Spectre x360 2-in-1 laptop, or refund the $1,434 I spent. But HP denied the exchange and refused me a full refund (it said I could not get the sales taxes back). I’d like HP to replace my broken laptop with one of equal or better value or send me a full $1,434 refund. Can you help? https://www.elliott.org/problem-solved/help-my-hp-envy-doesnt-work-can-i-get-a-replacement-or-a-refund/ [In RISKS, we generally do not run second-hand disgruntlements in which there would seem to be no likelihood of an end -- happy or otherwise -- to the story. But this type of problem appears to becoming more prevalent. PGN] ------------------------------ Date: Tue, 13 Feb 2024 03:20:44 +0000 From: Henry Baker <hbak...@pipeline.com> Subject: Re: Why the 737 MAX 9 door plug blew out Perhaps I'm incredibly naive, but it sounds to me that the 737 MAX 9 would be *safer* if the 'door plug' were replaced by an *actual door* ! An actual door can be seen and monitored; checked, whereas the 'door plug' (aka 'fake door') is painted over and ignored. There's a long history in the computer community of 'unintended/unexpected' *'upgrades'* -- e.g., pulling a wire 'upgrades' a computer to higher performance, dormant code that was never intended for execution suddenly becomes a platform for exploitation, etc. Sometimes excess 'optionality' has overwhelming costs... ------------------------------ Date: Sat, 10 Feb 2024 20:54:47 -0500 From: Jan Wolitzky <jan.wolit...@gmail.com> Subject: The Friar Who Became the Vatican's Go-To Guy on AI (NYTimes) Paolo Benanti advises the Roman Catholic Church and the Italian government on the tricky questions, moral and otherwise, raised by the rapidly advancing technology. https://www.nytimes.com/2024/02/09/world/europe/italy-artificial-intelligence-ethics.html?unlocked_article_code=1.Uk0.sIKe.loHOSAschYr4&smid=url-share (But who advises them on the semiconductors needed to implement that AI? Why, he's the Chip Monk.) ------------------------------ Date: Sat, 10 Feb 2024 09:46:56 -0800 From: Steve Bacher <seb...@verizon.net> Subject: Why Bloat Is Still Software’s Biggest Vulnerability A 2024 plea for lean software Bert Hubert <https://spectrum.ieee.org/u/bert_hubert> writes: https://ethz.ch/en/news-and-events/eth-news/news/2024/01/computer-pioneer-niklaus-wirth-has-died.html>/ /This post is dedicated to the memory of //Niklaus Wirth/ computing pioneer who passed away 1 January 2024. In 1995 he wrote an influential article called “//A Plea for Lean Software/ <https://cr.yp.to/bib/1995/wirth.pdf>/,”//published in /Computer <https://ieeexplore.ieee.org/document/348001>/, the magazine for members of the IEEE Computer Society, which I read early in my career as an entrepreneur and software developer. In what follows, I try to make the same case nearly 30 years later, updated for today’s computing horrors. A version of this post was originally published/ <https://berthub.eu/articles/posts/a-2024-plea-for-lean-software/>/on my personal blog, Berthub.eu <http://berthub.eu>./us-wirth-has-died.html>/ [Niklaus was a legend. But the Bloat Still Rocks! and Leans. PGN] [Steve, The article is a bit wonky, for example: Software is now (rightfully) considered so dangerous that we tell everyone not to run it themselves. Instead, you are supposed to leave that to [?] a service provider, or perhaps just to the cloud. Compare this to a hypothetical situation where cars are so likely to catch fire that the advice is not to drive a car yourself, but to leave that to professionals who are always accompanied by professional firefighters. The assumption is then that the cloud is somehow able to make insecure software trustworthy. Yet in the past year, we've learned that Microsoft's email platform was thoroughly hacked <https://thehackernews.com/2023/09/outlook-breach-microsoft-reveals-how.html>, including classified government email. (Twice!) <https://metacurity.substack.com/p/russian-hacking-group-midnight-blizzard>) There are also well-founded worries about the security of the Azure cloud. <https://www.lastweekinaws.com/blog/azures-terrible-security-posture-comes-home-to-roost/> Meanwhile, industry darling Okta, which provides cloud-based software that enables user log-in to various applications, got comprehensively owned <https://www.reuters.com/technology/cybersecurity/okta-says-hackers-stole-data-all-customer-support-users-cyber-breach-2023-11-29/>. This was their second breach within two years. Also, there was a suspicious spate of Okta users subsequently getting hacked. PGN] ------------------------------ Date: Sat, 28 Oct 2023 11:11:11 -0800 From: risks-requ...@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>. *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 34.07 ************************
